Category Archives: DNS

Open DNS resolvers and patching them !

Before looking at what an open resolver is, you need to know what recursion, i.e. a recursive query, is.

Suppose you run a DNS server, and a local machine that uses it as its resolver asks for a website's address. Imagine this query is a new one, so it is not in the local cache of the machine making the request. When the request reaches your DNS server, the server first looks for the name in its own cache. If it has no answer, it queries other DNS servers on the client's behalf, following the chain of delegations until it finds the address, and then answers the original request with the result. This scenario is fine, because the local machine that made the request is one you trust. What if a machine you do not trust queries your DNS server in the same way and gets the same service? Then your DNS server is an open resolver.

An open DNS resolver is a name server that provides recursive name resolution to non-local clients; in effect, a name server that gives recursive replies to every system on the internet. Local or "authorized" clients are users on networks that you control and/or trust. A recursive reply is the result of following the chain of delegations in the DNS, ending at the domain name the original user asked for.

Open DNS resolvers are frequently abused to mount efficient DDoS attacks against websites, infrastructure and services. In a DNS amplification attack, the attacker sends DNS lookup requests to an open resolver with the source address spoofed to be the victim's address.

When the DNS server sends its response, it goes to the victim (the source address used in the spoofed request). Because the response is typically considerably larger than the request, the attacker amplifies the volume of traffic directed at the victim. Do not assume only the victim is affected: your equipment is effectively taking part in a botnet and helping a DDoS attack against other systems, potentially causing disruption of services and harm.

If your systems take part in such an attack, your own network, servers and services can easily become congested as well.

To avoid this, configure your DNS server either to disable recursion altogether or to allow recursion only from a trusted set of IPs.

For named, recursion can be disabled by adding the following to the options section of /etc/named.conf (appropriate for a server that only serves its own authoritative zones):

options {
    recursion no;
};

Alternatively, you can allow recursion only from a trusted set of IPs:

options {
    allow-recursion { IP1; IP2; };  // your own server and network addresses, and any other hosts you trust
};

Note that allow-recursion only restricts who may ask the server to recurse; answers already sitting in the cache are governed by allow-query-cache, which defaults to the same list as allow-recursion when it is not set explicitly, so do not set allow-query-cache to anything broader.

Suppose you have configured your named with:

allow-recursion { IP1; IP2; };

From the machine with IP1, ask the server for something it is not authoritative for, for example the NS records of the root zone (x.x.x.x is the DNS server IP):

# nslookup -type=ns . x.x.x.x

The result would be :


(root) nameserver = J.ROOT-SERVERS.NET
(root) nameserver = K.ROOT-SERVERS.NET
(root) nameserver = L.ROOT-SERVERS.NET
(root) nameserver = M.ROOT-SERVERS.NET
(root) nameserver = A.ROOT-SERVERS.NET
(root) nameserver = B.ROOT-SERVERS.NET
(root) nameserver = C.ROOT-SERVERS.NET
(root) nameserver = D.ROOT-SERVERS.NET
(root) nameserver = E.ROOT-SERVERS.NET
(root) nameserver = F.ROOT-SERVERS.NET
(root) nameserver = G.ROOT-SERVERS.NET
(root) nameserver = H.ROOT-SERVERS.NET
(root) nameserver = I.ROOT-SERVERS.NET


Now make the same query from an IP that is not listed in allow-recursion. This time the server refuses to recurse:

Server:   x.x.x.x
Address:  x.x.x.x#53

** server can't find .: REFUSED

So, if your server turns out to be an open resolver, fix its configuration. Test from outside your own networks, not just from the server itself, since the server's own address is usually in the allowed list.
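As an added example (not part of the original post), here is the same check as a small Python script that sends one raw DNS query with the RD bit set and classifies the reply by its RCODE, so it can be run from any outside host without nslookup. The default target address, the probe name example.com and the sample reply bytes at the bottom are assumptions constructed for this example; the probe name must be one the server is not authoritative for, otherwise a plain authoritative answer could be mistaken for recursion.

```python
"""Probe a name server for open recursion.

Added example; not code from the original post. Sends one DNS query with the RD
(recursion desired) bit set for a name the target is NOT authoritative for and
classifies the reply by its header (RFC 1035 section 4.1.1):
    RCODE 5 (REFUSED)                 -> recursion denied to us (what we want)
    RCODE 0, RA=1, answers present    -> the server recursed for us (open resolver)
Standard library only. The default target, the probe name example.com and the
sample reply bytes at the bottom are assumptions made for this example.
"""
import socket
import struct

NOERROR, REFUSED = 0, 5


def build_query(qname: str, qid: int, qtype: int = 1) -> bytes:
    """Build a minimal DNS query packet (header + one question) with RD=1."""
    flags = 0x0100                               # QR=0, OPCODE=0, RD=1
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):   # name as length-prefixed labels
        raw = label.encode("ascii")
        question += struct.pack("!B", len(raw)) + raw
    question += b"\x00" + struct.pack("!HH", qtype, 1)   # root label, QTYPE, QCLASS=IN
    return header + question


def parse_header(resp: bytes) -> dict:
    """Decode the fields of the 12-byte DNS header that the verdict depends on."""
    if len(resp) < 12:
        raise ValueError("short DNS response")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "qr": (flags >> 15) & 1,    # 1 = this is a response
        "ra": (flags >> 7) & 1,     # recursion available to *this* client
        "rcode": flags & 0xF,
        "ancount": an,
    }


def classify(resp: bytes, expected_id: int) -> str:
    """Return 'closed', 'open', 'inconclusive' or 'unexpected' for a raw reply."""
    h = parse_header(resp)
    if h["qr"] != 1 or h["id"] != expected_id:
        return "unexpected"         # not a reply to our query (or a spoofed one)
    if h["rcode"] == REFUSED:
        return "closed"             # server refused to recurse for our address
    if h["rcode"] == NOERROR and h["ra"] == 1 and h["ancount"] > 0:
        return "open"               # it recursed and handed us an answer
    return "inconclusive"           # e.g. a referral with no answer, or SERVFAIL


def probe(server: str, qname: str = "example.com", port: int = 53,
          timeout: float = 3.0) -> str:
    """Send the probe over UDP and classify the reply. Needs network access."""
    qid = 0x1234                    # fixed here for readability; randomise in real tooling
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, qid), (server, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"    # filtered, or the server silently drops instead of refusing
    return classify(data, qid)


# Constructed reply headers (not captured from a real server) so the logic can be
# exercised offline: REFUSED with RA=0, and NOERROR with RA=1 and one answer record.
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, "->", probe(target))
```

Run it as `python3 probe.py x.x.x.x` from a host that is not in allow-recursion; "closed" is the result you want, "open" means the server recursed for a stranger, and "no-response" usually means a firewall is in the way rather than named refusing.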


Troubleshooting issues with named !

When you run a server without any control panel, managing the services, especially DNS, becomes a pain.

You have the tedious job of installing BIND, editing the configuration file, manually creating the zone files, and so on.

Here are some tips which might help you :

— Open your named.conf and first make sure the named service is set to listen on interfaces other than localhost alone.

The default setting that ships in named.conf binds the service to localhost only:

listen-on port 53 { 127.0.0.1; };
allow-query { localhost; };

Change the above lines to:

listen-on port 53 { any; };
allow-query { any; };

(or, better, list the server's own public address instead of any in listen-on). Opening allow-query to any is fine for an authoritative server, but only together with recursion disabled or restricted with allow-recursion; otherwise you have just built the open resolver described above.

If the service is bound to localhost alone, external queries are not answered: attempting to connect to port 53 from an external host with a tool such as telnet results in 'connection refused'. Keep in mind that telnet only tests TCP; most queries travel over UDP, so dig @your-server-ip from an external host is the more meaningful check.

You would only be able to resolve the zones locally. For example, dig @localhost against one of your zones works while named is pinned to localhost alone, but the same query from outside does not.

— To check for syntax errors in named.conf, run:

# named-checkconf /path-to-named.conf

Adding -z (named-checkconf -z /path-to-named.conf) also loads every zone referenced from the configuration and reports errors in them.

– Once the zones are created, you can check each zone file for errors with named-checkzone, giving it the zone's origin name (the domain, or the in-addr.arpa name of a reverse zone) and the path to the file:

# named-checkzone zone-name /path-to-zone-file-to-be-checked

Online zone file generators exist if you are not familiar with the syntax.

Note on serial numbers:

The usual convention for the serial in a zone's SOA record is YYYYMMDDNN.

NN is a two-digit sequence number starting at 01; whenever you edit the zone file again on the same day, increase it by 1, and on a new day start again at 01. Secondaries only transfer a zone when its serial has increased, so forgetting to bump the serial is the classic cause of a secondary serving stale data.
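As an added example (not from the original post), the serial rules above as a small Python helper: next_serial applies the YYYYMMDDNN convention, including what to do when NN runs out or the zone already carries a larger serial, and is_newer performs the RFC 1982 wrap-around comparison a secondary uses to decide whether the primary's copy is newer. The dates and serial values in the comments are made up.

```python
"""Zone serial helpers for the YYYYMMDDNN convention.

Added example; not code from the original post. next_serial() produces the serial
for the next edit, and is_newer() performs the wrap-around comparison (RFC 1982)
that a secondary applies to decide whether the primary's zone is newer. Dates and
serial values used in comments are made up.
"""
from datetime import date

SERIAL_MAX = 0xFFFFFFFF            # SOA serial is an unsigned 32-bit integer


def next_serial(current: int, today: date) -> int:
    """Return the serial to write after editing the zone on `today`.

    - first edit of the day            -> YYYYMMDD01
    - further edits on the same day    -> increment NN (01..99)
    - NN exhausted, or the zone already carries a larger (e.g. future-dated or
      non-date) serial                 -> current + 1, because a strictly increasing
      serial matters more than keeping the date prefix intact
    """
    if not 0 <= current <= SERIAL_MAX:
        raise ValueError("SOA serial must fit in 32 bits")
    day_base = int(today.strftime("%Y%m%d")) * 100   # YYYYMMDD00
    if current < day_base:
        candidate = day_base + 1                     # e.g. 2013051903 -> 2013052001
    else:
        candidate = current + 1                      # e.g. 2013052001 -> 2013052002
    if candidate > SERIAL_MAX:
        raise ValueError("serial would overflow; plan a serial wrap instead")
    return candidate


def is_newer(new: int, old: int) -> bool:
    """RFC 1982 serial arithmetic: `new` is after `old` if the forward distance
    from old to new (mod 2**32) lies strictly between 0 and 2**31."""
    diff = (new - old) % (1 << 32)
    return 0 < diff < (1 << 31)


def check_bump(current: int, today: date) -> tuple:
    """Compute the next serial and confirm a secondary would accept it as newer."""
    nxt = next_serial(current, today)
    return nxt, is_newer(nxt, current)


if __name__ == "__main__":
    print(check_bump(2013052001, date.today()))
```

The is_newer check is the one worth remembering: a secondary does not compare serials as plain integers but modulo 2^32, which is why a serial that is "larger" by more than 2^31 (for example after a botched edit to a huge value) is actually treated as older.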


Named not starting in Plesk !

When trying to restart named, you get an error stating that some parameter in a zone file is not given correctly.

It would be a reverse PTR zone file with a name something like this:

Open the zone file using vim , like :

# vim /var/named/run-root/var/

When you look through the file, you can see a misconfigured line that differs from the others; it is easy to spot by eye.

Edit that line (use the other lines as a reference), save the file and restart the named service.

This is a bug which is seen in older versions of Plesk.

Too much denied named queries ?

When you have set up a production box running a DNS server (the named service, in this case), you get tons of queries. If you have disabled recursion, the workload is smaller.

While going through /var/log/messages, have you found lots of "query (cache) ... denied" messages? Something like this?

Date host named[28251]: client IP#xxxxx: view external: query (cache) '' denied

Check whether the domains these queries are for are still present on the server.

If you find that these domains once existed on the server but no longer do, you can conclude that they are still delegated to your name servers even though the sites went out of business or offline.

In other words, they no longer have a zone or a website here, but the domains still exist and their NS records still point at this server.

Resolution to this issue:

Add the following lines to /etc/named.conf (the named config file), under the 'options' section:

additional-from-auth no;
additional-from-cache no;

With these settings, BIND does not follow out-of-zone records even if they are in its cache. Two caveats: newer BIND 9 releases no longer support these two options, so if named-checkconf complains about them, leave them out; and the denied messages themselves are harmless, since they are named correctly refusing to recurse for clients that are not in allow-recursion. They are logged under the security category, so if quieter logs are all you want, a logging channel for that category is the cleaner fix.
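As an added example (not from the original post), here is a Python script that parses these denied messages, counts them per client, per queried name and per query type, and flags the names that fall outside the zones you host, which is the check the paragraph above describes doing by hand. The log lines embedded in it are constructed, not captured from a real server; the message shape it matches is the older one quoted above (client IP#port, optional view, query (cache) 'name/type/class' denied); names like oldcustomer.example and the hosted-zone list are assumptions.

```python
"""Summarise "query (cache) ... denied" messages from named's log.

Added example; not code from the original post. Counts denials per client, per
queried name and per query type, and flags names outside the zones this server
hosts, so you can tell lingering delegations (old customers still pointed here)
from outsiders probing the server as a would-be open resolver. SAMPLE_LOG is
constructed, not a real capture, and the matched message shape is the older one
quoted in the post.
"""
import re
from collections import Counter

# <date> <host> named[<pid>]: client <ip>#<port>: [view <name>:] query (cache) '<name/type/class>' denied
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?P<client>[0-9a-fA-F.:]+)#\d+:"
    r"(?: view \S+:)? query \(cache\) '(?P<qname>[^']*)' denied"
)

SAMPLE_LOG = """\
May 20 10:01:02 ns1 named[28251]: client 203.0.113.7#51234: view external: query (cache) 'oldcustomer.example/A/IN' denied
May 20 10:01:03 ns1 named[28251]: client 203.0.113.7#51240: view external: query (cache) 'www.oldcustomer.example/MX/IN' denied
May 20 10:01:05 ns1 named[28251]: client 198.51.100.9#40000: query (cache) 'isc.org/ANY/IN' denied
May 20 10:01:06 ns1 named[28251]: client 198.51.100.9#40001: query (cache) 'isc.org/ANY/IN' denied
May 20 10:01:07 ns1 named[28251]: client 192.0.2.1#53000: query: example.com IN A + (192.0.2.53)
"""


def parse_denied(log_text: str):
    """Yield (client_ip, name, qtype) for every denied cache query in log_text."""
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue                           # ordinary query logs, transfers, etc.
        parts = m.group("qname").split("/")    # BIND logs 'name/type/class'
        name = parts[0].rstrip(".").lower()
        qtype = parts[1] if len(parts) > 1 else "?"
        yield m.group("client"), name, qtype


def in_hosted_zone(name: str, hosted_zones) -> bool:
    """True if name is at or below one of the zones this server is authoritative for."""
    zones = {z.rstrip(".").lower() for z in hosted_zones}
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))


def summarise(log_text: str, hosted_zones) -> dict:
    """Aggregate denials; names not under a hosted zone are the ones to chase up."""
    by_client, by_name, by_type = Counter(), Counter(), Counter()
    not_hosted = set()
    for client, name, qtype in parse_denied(log_text):
        by_client[client] += 1
        by_name[name] += 1
        by_type[qtype] += 1                    # many ANY queries = amplification probing
        if name and not in_hosted_zone(name, hosted_zones):
            not_hosted.add(name)
    return {"by_client": by_client, "by_name": by_name,
            "by_type": by_type, "not_hosted": not_hosted}


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG, hosted_zones={"example.com"})
    for client, n in report["by_client"].most_common():
        print(f"{n:5d} denials from {client}")
    print("not hosted here:", sorted(report["not_hosted"]))
```

Feed it your real log with `summarise(open("/var/log/messages").read(), {"your zones"})`; a handful of names asked for by many different clients are old delegations worth cleaning up at the registrar, whereas a few clients sending bursts of ANY queries for third-party domains are amplification probes and proof that your allow-recursion list is doing its job.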

How do I clear my DNS cache !

The DNS cache on your machine stores the addresses of hosts whose names you recently resolved, for instance the web servers of pages you have viewed.

If those addresses have since changed, you may be unable to reach the pages until the stale entries in the local cache (the one kept by the machine you browse from) expire or are flushed.

Following shows you on how to clear DNS cache on different platforms :

* On Windows, open cmd and run:

> ipconfig /flushdns

* On OS X Mountain Lion, type the following in a terminal:

# sudo killall -HUP mDNSResponder

* On Linux distributions that run nscd (the name service cache daemon), restart it:

# sudo /etc/init.d/nscd restart  (or: sudo systemctl restart nscd)

Install nscd if it is not present:

# sudo apt-get install nscd
# sudo yum install nscd

Note that many Linux systems do not cache DNS in nscd at all; on systems using systemd-resolved, run sudo resolvectl flush-caches (older versions: sudo systemd-resolve --flush-caches) instead.